Financial technology (fintech) companies have reshaped the financial institution industry over recent years. Competition within the industry has accelerated due to the introduction of new fintech providers and big tech players entering the payments space. Retailers are also offering financial services through banking-as-a-service providers. The competition, coupled with surging inflation, the war for talent, and increasing interest rates, makes it a challenge to lead a growing, profitable institution in today’s market.
Institutions must seek new ways to offer enhanced products and services, improve operational efficiencies, and reduce costs. Leveraging third-party fintech providers is one way to achieve this, but this strategy does not come without risk. Third-party fintech relationships differ from other vendors, given the nature and utilization of their operations. Therefore, it’s essential to perform due diligence procedures and establish monitoring controls to ensure the relationship is providing value to the institution, not creating unacceptable risk.
Consider the following categories of risk while performing a third-party risk assessment.
History provides insight into a company’s ability to deliver. Does this fintech have a long history of delivering on client obligations? Or is the fintech in its first years of operations? Even if operations have only recently begun, the company should still be able to provide client references. A track record, even if recent, can show how an organization’s operating style will match up to your needs.
Regardless of past customer experience, if a company doesn’t have the financial strength to continue operations, it will struggle to deliver on its obligations. New fintech companies saw significant investment in 2020 and 2021, but not all spent as prudently as others. Is your third-party provider able to fund operations through cash flow? Or does it rely on outside funding? If it relies on outside funding, will that funding be available the next time cash is tight? Ensuring there won’t be operational disruptions because of financial conditions will be essential for third-party risk management.
A financial institution’s compliance requirements extend to its third-party providers. Therefore, validating that a fintech partner can comply with applicable laws and regulations is essential. In fact, the Consumer Financial Protection Bureau (CFPB) recently announced that it will increase its nonbank supervision. Working with a provider under scrutiny from government agencies will bring attention to financial institutions.
To avoid heightened risk, institutions should review each fintech’s compliance processes to confirm that they are acceptable, including complaint monitoring. Financial institutions need a process to periodically review any complaints received by the third-party fintech provider. Alternatively, institutions need to be able to attest to the sufficiency of the third party to document, review, and resolve such complaints. Monitoring or auditing a fintech company for compliance during a third-party risk assessment will ensure its standards meet the needs of the institution.
A financial institution should have insight into how a fintech company mitigates risk over its processes. By identifying the controls in place, as well as the related monitoring and auditing of those controls, the institution can determine if the fintech profile aligns with the organizational risk appetite. Auditor findings could raise questions regarding control effectiveness; however, the institution may be able to assess the magnitude of third-party risk by analyzing the reporting process of a fintech company.
Even if an institution doesn’t have an official Service Organization Controls (SOC) report, the institution should still review the Service Level Agreement (SLA) and verify that the required controls are in place. The SLA should clearly indicate the responsibilities of the financial institution and the fintech.
A financial institution needs to evaluate a fintech partner’s information technology (IT) security measures, especially for vendors. Information security practices will vary greatly depending on the stage of the company. Reviewing policies, as well as control assessments such as penetration and vulnerability testing, will help assess a fintech’s approach to information security. Recently, the CFPB explained that companies with poor data security practices can be liable for damages under the CFPB’s unfair practices rule, even without an actual breach incident.
A fintech company with incident response procedures comparable to a financial institution will be a more desirable vendor. To create a successful vendor relationship, a fintech’s operational infrastructure and security measures need to be evaluated.
The importance of business continuity has become more apparent over the years as we’ve dealt with the COVID-19 pandemic, supply chain disruptions, and talent shortages. Is your third-party fintech going to be able to continue operations through unexpected disruptions? A fintech company requires processes to deal with potential interferences.
Evaluating a fintech company’s policies, including business continuity, incident response, and disaster recovery plans, will help determine if the vendor can meet the institution’s needs. Consulting with management can also be helpful as issues impacting business continuity evolve and require changes in a vendor’s programs. Considerations may extend to data management, insurance coverage, and reliance on sub-contractors.
As the use of third-party fintechs increases, financial institutions must perform third-party risk assessments early on. The establishment of effective third-party risk management programs will ensure organizational growth in a rapidly changing market.